URI Notifies Individuals of Data Exposure from a server in the College of Business

KINGSTON, R.I. -- August 27, 2012 -- The University of Rhode Island is notifying approximately 1,000 current and former faculty members that certain personal information that appeared on a publicly shared College of Business Administration computer server was accessed and able to be viewed by unauthorized individuals. The University took immediate corrective action to shut down the server.

The University is not aware of any reports of criminal activity or identity theft related to the information that was exposed. The ongoing investigation indicates that certain personal identity information had been placed on a server that was not set-up or intended to be used for storing this type of sensitive information.

In addition to the faculty members, 22 former URI students are also being notified that their information was contained on the server. No personal information for current URI students was contained on the server. In addition, we are working with an out-of-state attorney general’s office to assist with notifications to about 80 students from another school who were affected.

The server had been used by faculty in the business college to upload and share course information. The incident was isolated to one server in the college. Based on the investigation to date, no current students and no faculty hired after April 2007 are impacted.

“The University of Rhode Island takes the protection of personal information seriously. Our priority has been and continues to be the identification of the exact nature and scope of this breach and to communicate directly with those who are affected,” said Donald H. DeHayes, provost and vice president for academic affairs.

“We apologize to those who are impacted by this incident. Although no cases of fraud or identity theft have been reported to date, we are taking proactive steps to assist those whose personal information was exposed.”

The University will provide 12 months of credit monitoring and identity protection services for those affected by the exposure of their personal data. The University has engaged Identity Theft 911, a company that specializes in identity theft education and resolution, to provide this service, which includes credit monitoring, alerts regarding any inquiries, and file updates or credit changes to the individual’s credit bureau file.

The University is personally notifying each individual impacted by letter with information about accessing the credit and identity protection services at the University's expense.

Additionally, the University has posted a dedicated web site with frequently asked questions and precautions that individuals can take to safeguard personal information. The website is www.uri.edu/datanotice.

"Education and training of the campus community about issues pertinent to secure systems and confidential data is ongoing and critical to minimizing the potential for security breaches. This is a serious incident, and we are committed to assisting those affected," said Mike Khalfayan, associate director of information security.